December 2021 Videoconference

Meeting Details

  • Date: 21 December 2021
  • Time: 12PM US Eastern (1700 UTC)
  • Location: Remote
  • Call-in: Zoom Meeting

Agenda

CALL TO ORDER

CHANGES TO THE AGENDA

APPROVAL OF MINUTES

REPORTS

Staff reports, including Executive Director and Finance can be found after the agenda.

Pre-reading material

e-Votes and Special Meeting Motions to read into minutes

Motion to replace the Foundation credit cards

Background: Currently, the OWASP Foundation has a $10k credit limit with two card holders personally guaranteed by the OWASP Executive Director. As the world opens up, and travel resumes, and as some of the Foundation’s monthly expenses rise, we regularly need to pay down the credit cards before the due date. Additionally, the activity is negatively affecting Andrew’s credit score. A better solution is for the OWASP Foundation to apply in its own right to a financial institution for new cards.

Motion: “Resolved, the OWASP Foundation Executive Director and CFO are authorized to establish Foundation secured corporate credit cards for staff expenses and travel, with a total limit of $30k USD, replacing the personal guarantee Amex credit cards in use by the ED and one staff member today.”

  • Sponsor: Grant Ongers
  • Second: Sherif Mansour
Sherif Mansour:     YES
Vandana Verma:      YES
Grant Ongers:       YES
Bil Corry:          YES
Joubin Jabbari:     YES
Martin Knobloch:    YES
Owen Pendlebury:    No vote

Motion passes (6/0)

NEW BUSINESS

COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS

OWASP Draft Budget 2022

A discussion with Tom Pappas on the draft budget for 2022. Narrative TBA

Regional Chapter Policy

I will invite the Chapter committee to give a briefing to the Board on an official regional chapter model. Formalizing regional chapters is important, so we can provide certainty to all existing regional chapters, allow new regional chapters, and use the updated policy to help create business requirements for the selection of a new association management platform. All policies will need to be updated to allow full self-service, as there's likely to be a lot of reorganization of existing chapters and an influx of new regional chapters, which implies any policy or process that inserts manual steps needs to be changed to be more about exceptions or appeals.

Background: Regional chapters have never existed in any OWASP policy or bylaws, and as such are a policy anomaly and should never have been approved or exist. However, they are some of the largest, most active, and oldest chapters, and beloved by their members for the most part. So we need a policy that meets OWASP community management objectives, such as "no chapter is the boss of any other chapter" and "chapters can't stop other chapters from existing", and that covers chapter activity requirements, access to expenses and shared services, and how best for the different types of chapters to work together within a region. Additionally, as we don't have a policy, management of regional chapters varies dramatically all over the world. No two regional chapters are the same.

In the past, we have seen negative behavior, with some using regional chapters for their resume or LinkedIn profile with no activity, or trying to dominate or lock out other chapters and chapter leaders by saying they are the leaders of the country or region.

We need a regional chapter policy that enshrines how they are established, maintained, and their geographic and policy boundaries to avoid negative outcomes, whilst documenting regional chapters for the first time. As the Foundation is writing our business requirements for a new association management system, regional chapters need to have a stable management model that is amenable to self-service and automation using the same AMS as city and student chapters. Without a policy, we cannot include regional chapter requirements in our selection, so this has become urgent to resolve.

The chapter committee was first asked to address the regional chapter problem in September 2020. They have consulted widely with the regional chapter community and have come up with a proposed model. From the proposed model, I have created two amendments, one that implements the model exactly, and one that is capable of being managed by many of the AMS’s we have identified already.

The Foundation wants to ensure that Committees and Foundation Staff are not involved in day-to-day operational measures, but deal only with leader service that is outside the norms: exceptions and appeals. Manual operational requirements come with an SLA and reduce client satisfaction, as almost all changes currently take at least 72 hours to implement. Asking a volunteer-led committee to insert themselves into operational matters is not a good use of volunteer time. From the Foundation perspective, all manual processes, whether staff led or committee led, do not improve the customer experience, add unnecessary delays, and are harmful to staff productivity, an opportunity cost to volunteer time that could be better used on building out chapter initiatives, especially when many if not all day-to-day functions could become fully automated and self-service, with immediate turnaround and scalable impact.

The ask: After a briefing and discussion with the Chapter Committee, the ask is for the Board to pick a proposed chapter policy amendment branch to be run through the Community Review Process. A reviewed draft policy would then be brought to a vote in the January 2022 Board meeting. Once approved, the revised Chapter policy will allow the business requirements for regional chapters to be included in our evaluations of a new AMS. We are not asking for a vote today; we just want rough consensus that one of the two policy choices can be presented to the community for their review.

ADJOURNMENT

Adjournment motion

The next general Board meeting is on TBA, at 12 pm US Eastern Time.

“It is moved, and seconded to adjourn. Those in favor, say “aye””

Sponsor: Sherif Mansour Second: TBA


Staff Reports

Executive Director

As we close out 2021, it’s important to remember all the successes we’ve had. We’re ending the year on the highest ever member count, our 20th Anniversary was a tremendous success, and we have established several grants, which are actively being used to deliver project value by our project leaders and community. The OWASP Top 10 2021 was released and was well received by the public and many in our industry. We are leaving 2021 with a better balance sheet than at the start through all the hard work of our staff, Virtual, our community and the Board. We have our first new mission in 20 years, one that actually reflects what we do.

All of us - community, Board and staff alike should be proud of our collective successes, because we got it done collaboratively as a team.

We have completed the majority of policy reform, and compared to the community tumult of 2020, by returning to our community's roots and consent, 2021 has seen a lot of the community return and actively participate in projects, meetings, and events. The last remaining policies to be reformed are:

  • Regional chapter amendment for chapter policy (see above)
  • Privacy (an update for a GDPR policy will be required, currently in progress)
  • Travel policy (to be written)

In October, the LASCON team held one of the only in-person events at OWASP worldwide, which, although a success, demonstrated the limits of in-person events being held during a pandemic. Our next in-person AppSec Days event is SnowFROC in 2022. As there were significant doubts on the profitability of AppSec Dublin, the Board wisely chose to cancel the in-person event and change to a virtual event. Although potentially not as profitable as an in-person event in a good year, there's a good chance it will make more profit than many recent AppSec EU events. We will continue to monitor the profitability of our events.

Thank you to Owen Pendlebury, our 2020 Chair, and Sherif Mansour, our current Chair, for their extraordinary service over the last four years. Personally, I am sure their valuable counsel and direction will be missed by me, and probably by many on the Board and within the OWASP Community as well. I encourage them both to become involved in their passions for events and projects after their duties on the Board have finished.

Lastly, I want to say a HUGE thank you to all the OWASP Foundation staff and our partners at Virtual Inc (especially Tom Pappas) for one of the busiest and most successful years in OWASP history. Our team not only overachieved everywhere, we completed the majority of a packed Operating Plan including all of the necessary finance reform that had been holding our community back. Without our team’s immense efforts, OWASP would not be here today.

I look forward to the OWASP Foundation delivering improved customer experiences, more member benefits, and greater impact and community in 2022, along with a new association management platform. Lastly, and nothing is taken for granted, hopefully we can run an in-person Global AppSec San Francisco in November next year, and see many folks there safely in person.

Finance

Attached please find the financial package for the combined OWASP, which represents financial performance for the eleven months ended November 30th, 2021.

Statement of Activities – Accrual Basis

The following is a summary of the YTD Statement of Activities:

Revenue: On an accrual basis, total revenue through November 30th, 2021, is $1,010,548 as compared to an approved budget of $1,315,849. Revenues are under the approved budget by $305,301.

The reasons for this include:

  • OWASP budgeted for an Australia day at $350,000 that did not happen.
  • LASCON was budgeted at $110,000, though actual revenue was $86,300.
  • Individual Membership is $300,204 vs a budget of $137,500, so $162,704 above budget. Corporate membership, recognized as earned (based on paid corporate memberships), is $122,750 vs a budget of $183,333, or $60,583 below budget.
  • Donations were budgeted at $33,000 vs actual of $65,741, or $32,741 above budget.

Expenses: On an accrual basis, total expenses through November 30th, 2021, are $988,802 as compared to an approved YTD budget of $1,378,680. As a result, OWASP is $389,878 under the approved budget.

The reasons for this include:

  • Project spending is under budget by $48,475 due to less actual Project spending and lower Project Platform fees as compared to the 2021 Budget.
  • Event spending is $289,595 BELOW budget due to no Australia day ($80K) and LASCON being $66K below budget, along with being significantly below budget for all other 2021 events to date.
  • Outreach is $3,930 below budget due to underspending in Marketing, offset by Meetup fees.
  • Chapter spending is $67,757 under budget due to travel restrictions and online events.
  • G&A is $48,805 above budget due to Legal fees and Insperity payroll fees, offset by $28,927 of underspending in Fundraising, EDU and WIA.

Net Income/Loss: Net Profit (Loss) as of November 30th, 2021, is $21,746. The approved budgeted net profit (loss) was a loss of $62,831. The actual net profit is better than budget by $84,577, because underspending more than offsets the revenue deficit 11 months through the year.

Months of Operational Reserve: The cash balance is $1,475,281, which is $206,535 more than on November 30, 2020. Less $77,809 of AP and $168,597 of Project reserves, this leaves about 13.7 months of operational reserve, and when the $361,333 of open AR is collected it will add about 4 more months of operational reserve. The Foundation, while very well capitalized and well above the nonprofit industry average of 6 months of operational reserve, must still keep a close eye on spending and on maximizing revenue opportunities as we close 2021 and move into 2022.

Chapters and Membership

  • 265 active chapters
  • 53 new chapters added to date, of which 16 are student chapters
  • 13 chapters granted a reactivation exception in May have been deactivated again

Fix the inactive chapter merry-go-round

Leaders are not grasping that a meeting needs to occur within 90 days of reactivation. Requirements should be clear, simple to understand, and automatable.

  • An inactive OWASP chapter is a chapter that has not met the minimum activity requirements defined in this policy.
  • An inactive chapter must either be reactivated or dissolved.
  • The OWASP Foundation will revoke the inactive chapter leadership and refer the inactive chapter to the Chapter Committee to help find fresh leadership or to run elections to elect new leadership.
  • Use this form to reactivate a chapter. Where an inactive chapter does not hold a meeting within 90 days of being reactivated, or new leadership could not be appointed within 90 days of failing to meet activity targets, the Chapter Committee will discuss the inactive chapter and vote on it. If agreed, the chapter will be dissolved by the OWASP Foundation.

Currently, we have seen several chapters being given multiple chances to become active after the reactivation project concluded. In the following months, these leaders chose not to hold any meetings or activities. However, as soon as they were made inactive, they immediately contacted the Chapter Committee and were granted active status again, with no activity plan or new leadership requirements. Some are now due for their second or third deactivation this year as they have again failed to meet. Our current policy has no method to stop inactive leaders maintaining inactive chapters indefinitely if they follow the current policy. For example, OWASP Cusco leadership submitted a ticket but did not reach an agreement with, or meet with, the Chapter Committee.

We either need to have no policy around inactive chapters as it’s completely ineffective now (which would be bad), or alternatively, it needs to be fixed so that inactive chapters are given a realistic chance of new leadership who will actually hold meetings. Being a leader is not a right, but a privilege, and it requires activity to maintain.

We need a reactivation plan amended into the policy to ensure chapters become active for the benefit of OWASP's mission and our members; otherwise we will continue to waste valuable OWASP committee, volunteer, and staff time, and effectively allow OWASP funds to go down the drain month after month. Worst of all, local chapter members are denied meetings and our community.

One way to amend the chapter policy's reactivation clauses is for inactive leaders to meet with the Chapter Committee to discuss and document an agreed-upon plan to reactivate. The plan's terms must include completion dates, and should state that this is a final exception. The plan needs to be dated and signed by a representative of the chapter leadership and of the Committee, and submitted with the reactivation ticket to keep on file. If the terms of the reactivation plan are not met, the chapter is made inactive, and the inactive leaders will not be permitted to hold another leadership position for a period of 12 months. A new leadership team not consisting of any of the ineligible leaders could step up during this time, to give local members a chance to hold meetings and take over the chapter permanently.

With some luck, a policy change to provide a circuit breaker will stop the merry-go-round of reactivation for the benefit of our members.

Leaders as members

Historically, since 2008, you have not needed to be an OWASP member to be an OWASP leader, which is practically unique among non-profit membership organizations such as OWASP.

Slowly over time, we have been increasing our membership to support OWASP's mission and activities. It's almost certainly time to re-evaluate the role of membership requirements for leaders. As this can be a controversial topic for a very small minority of OWASP leaders (only 8% have taken up complimentary membership), it's time to re-evaluate whether complimentary membership, and indeed optional membership for leaders, is desirable from a policy perspective for a membership organization.

In 2020, the Board created a mechanism that allowed for complimentary membership for active leaders in 2020. Recently the Board changed it to remove the un-automatable aspects of the policy. Take-up of complimentary membership has been very low among leaders, and it costs the Foundation funds to maintain and provide benefits to those 1.2% of members who do not pay any fees.

We recommend the Board consult with the 5400+ strong OWASP Member Community to determine if it's time to require OWASP leaders to be OWASP members, as in pretty much all other membership organizations, and if so, whether complimentary memberships should be abolished, as they both demonstrate a lack of commitment to the organization and devalue the memberships of the other 5380+ members.

Membership type    17-Nov   17-Dec   Increase
One Yr/Student       3444     3522         78
Two Yr               1084     1095         11
Lifetime              748      761         13
Complimentary          83       85          2

Total                5359     5463        104

Membership Benefit Partnerships in the pipeline:

  • AppSec Phoenix - end of January 2022
  • Security Journey - Security Dojo Contract negotiations

Events and Corporate Support

Operations

  • In the process of finalizing the onboarding of elected Board Members for 2022.
  • Annual Conflict of Interest Questionnaire will be sent to all Board Members in the first week of January 2022.
  • Tom finalizing new credit card for Operations for 2022.

Projects and Technology

Currently updating project/chapter/committee reporting items, so current project numbers are not available.

  • 237+ Projects
  • 6 New projects in the last 60 days

Technology

  • Email for members/leaders cleanup testing completed successfully but will not resume until after the first of the year
  • As mentioned, updating group reporting functionality
  • Moving to Meetup GraphQL